Fraud Alert: That WhatsApp message from your boss may be a red herring

Scammers may be trying to trick you into wiring funds or buying gifts


Any email or message from your manager is meant to catch your immediate attention. You usually drop whatever you are doing and react immediately, even if it is after work hours. But next time, be extra wary. Depending on the content of the message, you may want to double-check that your boss is actually the one texting you.

Analysts at cybersecurity firm CloudSEK have found a spear phishing campaign targeting companies, in which messages purportedly coming from superiors or CEOs are actually fraudulent. In these messages, the threat actor pretends to be the company’s CEO and sends a WhatsApp message to colleagues (mostly top-level executives) on their personal phone numbers.

“CloudSEK team unveiled a spear phishing campaign targeting multiple IT firms where scammers were sending WhatsApp messages to top tier employees’ personal numbers pretending to be their CEO. The research unveiled lead generation and business information tools being misused by these scammers to extract personal phone numbers,” said a CloudSEK researcher.

Modus operandi of the scam

The scam starts with employees receiving an SMS-based message from an unknown number, with the sender impersonating a top-ranking executive from the organisation. The reason for impersonating a top-ranking executive is to instill urgency and panic. If the receiver acknowledges the scammer with a response, the scammer asks them to complete a quick task. The quick tasks include purchasing gift cards for a client or employee and/or wiring funds to another business. In some cases, the scammer may ask employees to send personal information (like PINs and passwords) to third parties, often providing a plausible reason to carry out the request.

CloudSEK researchers say threat actors use commanding and persuasive language to convince the victim to respond. The timeline to execute the action will be short and the task urgent. In some cases, they will send multiple messages asking when the request will be completed and stressing the importance of the action.

How credentials are stolen

Senior employees of the organisation can be looked up on LinkedIn. Threat actors then use popular sales intelligence or lead generation tools such as SignalHire, ZoomInfo and RocketReach to gather email IDs, phone numbers, and more. These online business databases have their own methodologies for obtaining, verifying, and then selling the contact details of an entity’s employees.

Raise employee awareness

CloudSEK officials emphasise that cybersecurity awareness programmes must be organised for all employees. Also, any payment requests with new or amended bank details received by email, letter or phone should be independently verified. Additionally, be cautious of how much information you reveal about your company and key officials via social media platforms and over the internet.


This article was first uploaded on February fourteen, twenty twenty-three, at forty-five minutes past two in the night.